AMENDMENTS TO THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims:

1-66. (Canceled).

67. (Currently amended) A computer-implemented authenticated-encryption method that uses an n-bit block cipher, a key, and an n-bit nonce to encrypt a message into a ciphertext, the method comprising:

partitioning the message into m-1 message blocks and one final fragment, each message block having n bits and the final fragment having between 0 and n bits;

using the block cipher, the key, and the nonce to generate a sequence of m offsets, each offset having n bits, wherein the sequence of offsets is computed by (a) computing a 0th basis offset by applying the block cipher, keyed by the key, to a constant; (b) for each positive number i, defining the ith basis offset from the prior basis offset by shifting the prior basis offset left one position, and then xoring the resulting value with a constant that depends on the first bit of the prior basis offset; (d) computing a base offset by applying the block cipher, keyed by the key, to the xor of the 0th basis offset and the nonce; (e) defining the 1st offset in the sequence of offsets as the xor of the 0th basis offset and the base offset; and (f) for each integer i between two and m, defining the ith offset in the sequence of offsets as the xor of the prior offset and the jth basis offset, where j is the number of zero-bits following the last one-bit when the number i is written in binary;

using the block cipher, the key, the nonce, and the length of the message to generate an n-bit final offset;

for each number i between 1 and m-1, xoring the ith message block with the ith offset to determine an ith input block;

for each number i between 1 and m-1, applying the block cipher, keyed by the key, to the ith input block, to determine an ith output block;

for each number i between 1 and m-1, xoring the ith output block with the ith offset to determine an ith ciphertext block;

concatenating the m-1 ciphertext blocks to determine a ciphertext body;

computing an encoded length by encoding the length of the final fragment as an n-bit string;

xoring the encoded length with the final offset to determine a precursor pad;

computing a pad by applying the block cipher, keyed by the key, to the precursor pad;

xoring the final fragment with a portion of the pad to determine a ciphertext fragment having the same length as the final fragment;

computing a padded ciphertext fragment by appending to the ciphertext fragment a sufficient number of zero bits so that the padded ciphertext fragment has n bits;

computing a checksum by xoring together the m-1 message blocks, the pad, and the padded ciphertext fragment;

computing a precursor full tag by xoring together the checksum and the mth offset;

determining a full tag by applying the block cipher, keyed by the key, to the precursor full tag;

computing a tag as a portion of the full tag; and

defining the ciphertext to be the ciphertext body, the ciphertext fragment, and the tag.
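The offset schedule of steps (a) through (f) in claim 67, written out as an added illustration that is not part of the filed claims. It goes one step beyond the claim text by checking that the incremental rule in step (f) equals a random-access form driven by the Gray code of i. Assumptions: n = 128, the constant in step (a) is the all-zero block, the constant in step (b) is 0x87 when the first bit is 1 and 0 otherwise, and `E` is a SHA-256-based stand-in for the block cipher.

```python
import hashlib

N_BYTES = 16   # assumption: n = 128 bits
POLY = 0x87    # assumption: step (b) constant when the first bit is 1

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for the keyed n-bit block cipher (assumption, not a real cipher).
    return hashlib.sha256(key + block).digest()[:N_BYTES]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def double(block: bytes) -> bytes:
    # Step (b): shift left one position, then xor a constant chosen by the first bit.
    v = int.from_bytes(block, "big")
    shifted = (v << 1) & ((1 << (8 * N_BYTES)) - 1)
    if v >> (8 * N_BYTES - 1):
        shifted ^= POLY
    return shifted.to_bytes(N_BYTES, "big")

def ntz(i: int) -> int:
    # Number of zero bits following the last one bit of i (i >= 1).
    return (i & -i).bit_length() - 1

def basis_offsets(key: bytes, count: int) -> list:
    basis = [E(key, bytes(N_BYTES))]          # step (a), constant assumed 0^n
    for _ in range(count - 1):
        basis.append(double(basis[-1]))       # step (b)
    return basis

def offsets(key: bytes, nonce: bytes, m: int) -> list:
    # Steps (d)-(f): returns the m offsets, element 0 being the 1st offset.
    basis = basis_offsets(key, m.bit_length())
    base = E(key, xor(basis[0], nonce))       # step (d)
    seq = [xor(basis[0], base)]               # step (e)
    for i in range(2, m + 1):
        seq.append(xor(seq[-1], basis[ntz(i)]))   # step (f)
    return seq

def offset_direct(key: bytes, nonce: bytes, i: int) -> bytes:
    # Random-access form: base offset xor the basis offsets picked by Gray(i).
    basis = basis_offsets(key, i.bit_length())
    z = E(key, xor(basis[0], nonce))
    gray = i ^ (i >> 1)
    for j in range(i.bit_length()):
        if (gray >> j) & 1:
            z = xor(z, basis[j])
    return z
```

Because every offset is a fixed function of the key and the nonce, encrypting two messages under one key with the same nonce reuses the entire offset sequence.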

68. (Previously presented) A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform an authenticated-encryption method that uses an n-bit block cipher, a key, and an n-bit nonce to encrypt a message into a ciphertext, the method comprising:

partitioning the message into m-1 message blocks and one final fragment, each message block having n bits and the final fragment having between 0 and n bits;

using the block cipher, the key, and the nonce to generate a sequence of m offsets, each offset having n bits, wherein the sequence of offsets is computed by (a) computing a 0th basis offset by applying the block cipher, keyed by the key, to a constant; (b) for each positive number i, defining the ith basis offset from the prior basis offset by shifting the prior basis offset left one position, and then xoring the resulting value with a constant that depends on the first bit of the prior basis offset; (d) computing a base offset by applying the block cipher, keyed by the key, to the xor of the 0th basis offset and the nonce; (e) defining the 1st offset in the sequence of offsets as the xor of the 0th basis offset and the base offset; and (f) for each integer i between two and m, defining the ith offset in the sequence of offsets as the xor of the prior offset and the jth basis offset, where j is the number of zero-bits following the last one-bit when the number i is written in binary;

using the block cipher, the key, the nonce, and the length of the message to generate an n-bit final offset;

for each number i between 1 and m-1, xoring the ith message block with the ith offset to determine an ith input block;

for each number i between 1 and m-1, applying the block cipher, keyed by the key, to the ith input block, to determine an ith output block;

for each number i between 1 and m-1, xoring the ith output block with the ith offset to determine an ith ciphertext block;

concatenating the m-1 ciphertext blocks to determine a ciphertext body;

computing an encoded length by encoding the length of the final fragment as an n-bit string;

xoring the encoded length with the final offset to determine a precursor pad;

computing a pad by applying the block cipher, keyed by the key, to the precursor pad;

xoring the final fragment with a portion of the pad to determine a ciphertext fragment having the same length as the final fragment;

computing a padded ciphertext fragment by appending to the ciphertext fragment a sufficient number of zero bits so that the padded ciphertext fragment has n bits;

computing a checksum by xoring together the m-1 message blocks, the pad, and the padded ciphertext fragment;

computing a precursor full tag by xoring together the checksum and the mth offset;

determining a full tag by applying the block cipher, keyed by the key, to the precursor full tag;

computing a tag as a portion of the full tag; and

defining the ciphertext to be the ciphertext body, the ciphertext fragment, and the tag.

69. (Currently amended) A computer-implemented authenticated-encryption method that uses an n-bit block cipher, a key, and an n-bit nonce to encrypt a message of arbitrary length into a ciphertext of the same length, the method comprising:

partitioning the message into m-1 message blocks and one final fragment, each message block having n bits and the final fragment having between 0 and n bits;

generating m+1 offsets using a sequence shift and xor operations, this sequence of shift and xor operations being applied to a starting value determined using the block cipher, the key, and the nonce;

for each number i between 1 and m-1, xoring the ith message block with the ith offset to determine an ith input block;

for each number i between 1 and m-1, applying the block cipher, keyed by the key, to the ith input block, to determine an ith output block;

for each number i between 1 and m-1, xoring the ith output block with the ith offset to determine an ith ciphertext block;

concatenating the m-1 ciphertext blocks to determine a ciphertext body;

computing an encoded length by encoding the length of the final fragment as an n-bit string;

xoring the encoded length with the mth offset to determine a precursor pad;

computing a pad by applying the block cipher, keyed by the key, to the precursor pad;

xoring the final fragment with a portion of the pad to determine a ciphertext fragment having the same length as the final fragment;

computing a padded ciphertext fragment by appending to the ciphertext fragment a sufficient number of zero bits so that the padded ciphertext fragment has n bits;

computing a checksum by xoring together the m-1 message blocks, the pad, and the padded ciphertext fragment;

computing a precursor full tag by xoring together the checksum and the (m+1)th offset;

determining a full tag by applying the block cipher, keyed by the key, to the precursor full tag;

computing a tag as a portion of the full tag; and

defining the ciphertext to be the ciphertext body, the ciphertext fragment, and the tag.

70. (Currently amended) A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform an authenticated-encryption method that uses an n-bit block cipher, a key, and an n-bit nonce to encrypt a message of an arbitrary length into a ciphertext of the same length, the method comprising:

partitioning the message into m-1 message blocks and one final fragment, each message block having n bits and the final fragment having between 0 and n bits;

generating m+1 offsets using a sequence shift and xor operations, this sequence of shift and xor operations being applied to a starting value determined using the block cipher, the key, and the nonce;

for each number i between 1 and m-1, xoring the ith message block with the ith offset to determine an ith input block;

for each number i between 1 and m-1, applying the block cipher, keyed by the key, to the ith input block, to determine an ith output block;

for each number i between 1 and m-1, xoring the ith output block with the ith offset to determine an ith ciphertext block;

concatenating the m-1 ciphertext blocks to determine a ciphertext body;

computing an encoded length by encoding the length of the final fragment as an n-bit string;

xoring the encoded length with the mth offset to determine a precursor pad;

computing a pad by applying the block cipher, keyed by the key, to the precursor pad;

xoring the final fragment with a portion of the pad to determine a ciphertext fragment having the same length as the final fragment;

computing a padded ciphertext fragment by appending to the ciphertext fragment a sufficient number of zero bits so that the padded ciphertext fragment has n bits;

computing a checksum by xoring together the m-1 message blocks, the pad, and the padded ciphertext fragment;

computing a precursor full tag by xoring together the checksum and the (m+1)th offset;

determining a full tag by applying the block cipher, keyed by the key, to the precursor full tag;

computing a tag as a portion of the full tag; and

defining the ciphertext to be the ciphertext body, the ciphertext fragment, and the tag.

EJG E:\Rogaway\ROG01-0002\Amendment C ROG01-0002.doc